Risc free internet sharing

Requirements

• a linux box with internet connectivity and a free network card
• an access point - I used a Linksys WRT54G

What to do

• connect the access point to the free network card of the linux box
  If the device has a port called 'WAN' or 'Internet' or something similar, use that one.
  
• configure an ip address on the linux box and configure the WAN-port of the access point to have an ip-address in the same segment
  Also point the default gateway of the access point as well as the DNS to your linux box.
  If the access point you use does not do NAT, then you have to set-up a DHCP server on the linux box as well.
• set-up tor on the linux box. add the following lines at the top of the Tor configuration file. replace 192.168.156.1 with the ip address of the network-card on the linux box
  

  AutomapHostsOnResolve 1
  TransPort 9040
  TransListenAddress 127.0.0.1
  TransListenAddress 192.168.156.1
  DNSPort 53
  DNSListenAddress 127.0.0.1
  DNSListenAddress 192.168.156.1
  SocksListenAddress 192.168.156.1:9100
  SocksPolicy accept 192.168.156.0/24
  

• create a script with the following code. make sure it is invoked when the network is activated on the linux box:

  #! /bin/sh
  
  export PATH=/usr/sbin:/sbin:$PATH
  
  ### init
  modprobe ip_tables
  modprobe ip_conntrack_ftp
  modprobe ip_nat_ftp
  modprobe ip_nat_irc
  modprobe ip_conntrack_irc
  echo 0 > /proc/sys/net/ipv4/ip_forward
  
  ### flush
  iptables -F INPUT
  iptables -F OUTPUT
  iptables -F FORWARD
  iptables -t nat -F PREROUTING
  iptables -t nat -F POSTROUTING
  ip6tables -F INPUT
  ip6tables -F OUTPUT
  ip6tables -F FORWARD
  
  ### setup
  ip6tables -A FORWARD -i eth1 -j REJECT
  ip6tables -A INPUT -i eth1 -j REJECT
  
  # DNS through TOR
  iptables -A INPUT -i eth1 -p tcp --destination-port 53 -j ACCEPT
  iptables -A INPUT -i eth1 -p udp --destination-port 53 -j ACCEPT
  
  # to help nmap :-)
  iptables -A INPUT -i eth1 -p tcp --destination-port 80 -j REJECT
  
  # ping to "dns"
  iptables -A INPUT -i eth1 -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT # echo reply
  iptables -A INPUT -i eth1 -p icmp --icmp-type 3 -m limit --limit 2/s -j ACCEPT # destination unreachable
  iptables -A INPUT -i eth1 -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT # echo request
  iptables -A INPUT -i eth1 -p icmp --icmp-type 11 -m limit --limit 2/s -j ACCEPT # time exceeded
  iptables -A FORWARD -i eth1 -p icmp -j REJECT --reject-with icmp-host-unreachable
  # ssh to 'server'
  iptables -A INPUT -i eth1 -p tcp --destination-port 22 -j ACCEPT
  # ntp to 'server'
  iptables -A INPUT -i eth1 -p udp --destination-port 123 -j ACCEPT
  
  # redirect all tcp traffic
  iptables -t nat -A PREROUTING -i eth1 -p tcp --syn -j REDIRECT --to-ports 9040
  iptables -A INPUT -i eth1 -p tcp --destination-port 9040 -j ACCEPT
  # ntp
  iptables -t nat -A PREROUTING -i eth1 -p udp --destination-port 123 -j REDIRECT --to-ports 123
  
  iptables -A FORWARD -i eth1 -j REJECT --reject-with icmp-admin-prohibited
  iptables -A INPUT -i eth1 -j REJECT --reject-with icmp-proto-unreachable
  
  /sbin/wondershaper eth1 512 512
  
  echo 1 > /proc/sys/net/ipv4/ip_forward
  

  In this example, eth1 is the network-interface to which the access point is connected.
• this script will automatically route all IPv4 tcp-traffic through tor. all other traffic (including IPv6) is blocked. only ssh to the linux box as well as ntp-traffic is allowed.
• the 'wondershaper'-line at the end limits the traffic to 0.5Mb up- and down

Verify

• connect to the access point
• surf to https://check.torproject.org/ - it'll tell you wether you're surfing through tor or not
• try, using for example Nmap to portscan the network interface to which the access point is connected (192.168.156.1 in my example)